Be curious to search Google for the string and try to determine how many
of these sites were vulnerable, but NOT running custom-built sites, rather
running COTS that happen to be vulnerable.
---------- Forwarded message ----------
From: InfoSec News <alerts at infosecnews.org>
http://www.theregister.co.uk/2008/04/25/mass_web_attack_grows/
By Dan Goodin
The Register
25th April 2008
The sophisticated mass infection that's injecting attack code into
hundreds of thousands of reputable web pages is growing and even
infiltrated the website of the Department of Homeland Security.
While so-called SQL injections are nothing new, this latest attack, which
we we reported earlier, is notable for its ability to infect huge numbers
of pages using only a single string of text. At time of writing, Google
searches here, here and here showed almost 520,000 pages containing the
infection string, though the exact number changes almost constantly. As
the screenshot below shows, even the DHS, which is responsible for
protecting US infrastructure against cyber attacks, wasn't immune. Other
hacked sites include those belonging to the United Nations and the UK
Civil Service.
The attack causes infected sites to redirect visitors to destinations that
attempt to install malware on vulnerable machines. At time of writing, the
malicious payloads attacked vulnerabilities that already have been
patched. And in any case all three of the redirection sites were down,
possibly because they were unable to handle the demand. But should the
attackers get their hands on a newer exploit - say, one targeting a
zero-day vulnerability in QuickTime - it would be relatively easy for them
to swap out the payload.
One reason the infection has spread so widely is the attackers have
managed to find a single attack string that seems to work on tens of
thousands of different sites. Most web applications are custom -built for
a particular site, so attackers likewise have to custom design attack
parameters to exploit weakness. Not so here.
"These guys look like they've found a methodology to get a successful SQL
injection generically across [many] websites," said Jeremiah Grossman, CTO
of WhiteHat Security, which helps companies secure web applications. "That
right there is like a skeleton key."
[..]